EP2624123A2 - Informationsverarbeitungssystem, Informationsverarbeitungsvorrichtung und Authentifizierungsverfahren - Google Patents

Informationsverarbeitungssystem, Informationsverarbeitungsvorrichtung und Authentifizierungsverfahren Download PDF

Info

Publication number
EP2624123A2
EP2624123A2 EP13153043.8A EP13153043A EP2624123A2 EP 2624123 A2 EP2624123 A2 EP 2624123A2 EP 13153043 A EP13153043 A EP 13153043A EP 2624123 A2 EP2624123 A2 EP 2624123A2
Authority
EP
European Patent Office
Prior art keywords
authentication
user
identifier
organization
external apparatus
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP13153043.8A
Other languages
English (en)
French (fr)
Other versions
EP2624123B1 (de
EP2624123A3 (de
Inventor
Kazunori Takatsu
Naotoshi Seo
Noriko Kota
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ricoh Co Ltd
Original Assignee
Ricoh Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ricoh Co Ltd filed Critical Ricoh Co Ltd
Publication of EP2624123A2 publication Critical patent/EP2624123A2/de
Publication of EP2624123A3 publication Critical patent/EP2624123A3/de
Application granted granted Critical
Publication of EP2624123B1 publication Critical patent/EP2624123B1/de
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • G06F21/608Secure printing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/12Digital output to print unit, e.g. line printer, chain printer
    • G06F3/1201Dedicated interfaces to print systems
    • G06F3/1202Dedicated interfaces to print systems specifically adapted to achieve a particular effect
    • G06F3/1222Increasing security of the print job
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/12Digital output to print unit, e.g. line printer, chain printer
    • G06F3/1201Dedicated interfaces to print systems
    • G06F3/1223Dedicated interfaces to print systems specifically adapted to use a particular technique
    • G06F3/1237Print job management
    • G06F3/1238Secure printing, e.g. user identification, user rights for device usage, unallowed content, blanking portions or fields of a page, releasing held jobs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/12Digital output to print unit, e.g. line printer, chain printer
    • G06F3/1201Dedicated interfaces to print systems
    • G06F3/1223Dedicated interfaces to print systems specifically adapted to use a particular technique
    • G06F3/1237Print job management
    • G06F3/1267Job repository, e.g. non-scheduled jobs, delay printing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/12Digital output to print unit, e.g. line printer, chain printer
    • G06F3/1201Dedicated interfaces to print systems
    • G06F3/1278Dedicated interfaces to print systems specifically adapted to adopt a particular infrastructure
    • G06F3/1285Remote printer device, e.g. being remote from client or server
    • G06F3/1288Remote printer device, e.g. being remote from client or server in client-server-printer device configuration

Definitions

  • An aspect of this disclosure relates to an information processing system, an information processing apparatus, and an authentication method.
  • Japanese Laid-Open Patent Publication No. 2008-182699 discloses a printing system where print jobs received from terminals such as personal computers (PC) are not immediately printed but stored in an information processing apparatus such as a print server, and a logged-in user selects a print job from a list of the stored print jobs and prints the selected print job on an image forming apparatus such as a multifunction peripheral.
  • a printing system or method is called a "pull-printing system" or method (see, for example, Japanese Laid-Open Patent Publication No. 2008-182699 ).
  • user authentication is normally performed to maintain information security when a user prints a print job stored in an information processing apparatus (e.g., print server) on an image forming apparatus (e.g., multifunction peripheral).
  • an information processing apparatus e.g., print server
  • an image forming apparatus e.g., multifunction peripheral
  • a user ID and a password are used to authenticate the user.
  • the third party can execute print jobs stored in the image processing apparatus on any image forming apparatus (which is installed, for example, in a company of the third party or a public environment such as a convenience store) using the stolen user ID and password.
  • an information processing system implemented by one or more information processing apparatuses.
  • the information processing system includes a first receiving unit configured to receive a first user identifier and a first organization identifier via a network from an external apparatus and a first authentication unit configured to perform authentication based on the first user identifier and the first organization identifier by referring to a storage unit storing one or more second user identifiers in association with second organization identifiers.
  • the first authentication unit performs authentication by identifying an organization identifier matching the first organization identifier within the second organization identifiers and identifying a user identifier matching the first user identifier within the second user identifiers associated with the matching organization identifier.
  • FIG. 1 is a drawing illustrating an exemplary configuration of a printing system 1 according to a first embodiment.
  • the printing system 1 may include a network 10 providing a cloud service and a network 20 representing an internal network of, for example, a company.
  • the network 10 and the network 20 are connected to each other via a reverse proxy 11 of the network 10, an external network such as the Internet, and a firewall 23 of the network 20.
  • the reverse proxy 11 is provided at a node between the network 10 and the external network (e.g., the Internet) and relays access from the external network to the inside of the network 10.
  • the firewall 23 is provided at a node between the network 20 and the external network and relays access from the inside of the network 20 to the external network.
  • the network 10 provides a cloud service and includes one or more information processing apparatuses that provide various functions via, for example, Web applications and server applications.
  • the network 10 may include an authentication service unit 12, a print job management service unit 13, an asynchronous conversion service unit 15, an authentication database (DB), a job management database (DB), and a print file storage that are functional units implemented by the information processing apparatuses.
  • the network 20 is, for example, an internal network of a company and may include at least one terminal 21 and at least one image forming apparatus 22.
  • the terminal 21 may be implemented by any apparatus such as a smartphone, a cell phone, a personal computer (PC), a tablet PC, or a projector that can enter (or output) a print job.
  • the image forming apparatus 22 may be implemented by any apparatus such as a multifunction peripheral or a printer that can execute a print job.
  • the terminal 21 sends a print job to the print job management service unit 13 of the network 10 and thereby "enters" the print job.
  • the image forming apparatus 22 receives print data from the print job management service unit 13 of the network 10 and executes the corresponding print job.
  • the firewall 23 is provided to maintain the security of the network 20.
  • the terminal 21 generates data (e.g., application data) to be printed according to user operations, and sends (or enters) a print job including the generated data to the network 10.
  • data e.g., application data
  • the image forming apparatus 22 displays a print job list that is a list of print jobs receivable from the network 10, and allows the user to select a print job from the print job list.
  • a print job is selected by the user from the print job list
  • the image forming apparatus 22 receives print data of the selected print job from the network 10 and prints the print data.
  • the print data is obtained by converting (or rendering) data to be printed (which is hereafter referred to as "print target data”) into a format that the image forming apparatus 22 can print.
  • the reverse proxy 11 functions as a proxy for the print job management service unit 13 and relays a request to the print job management service unit 13.
  • the terminal 21 and the image forming apparatus 22 can access the print job management service unit 13 only via the reverse proxy 11. Accordingly, it is possible to improve the security of the printing system 1 by incorporating a security function in the reverse proxy 11.
  • the authentication service unit 12 performs authentication of the image forming apparatus 22, users operating the terminal 21 and the image forming apparatus 22, and applications installed in the image forming apparatus 22.
  • the authentication service unit 12 performs authentication using the authentication DB.
  • the authentication service unit 12 sends an authentication ticket to the terminal 21.
  • the authentication service unit 12 sends an authentication ticket to the image forming apparatus 22.
  • the print job management service unit 13 manages print jobs sent from (or entered by) the terminal 21 using the job management DB.
  • the asynchronous conversion service unit 15 converts (renders or translates) print target data into print data that the image forming apparatus 22 can print. More specifically, the asynchronous conversion service unit 15 converts print target data into a print file with a format (of, for example, a page description language) that the image forming apparatus 22 can print.
  • the asynchronous conversion service unit 15 converts data into a print file asynchronously with the reception of a conversion request from the print job management service unit 13.
  • the authentication ticket is not sent from the authentication service unit 12 to the image forming apparatus 22 unless the image forming apparatus 22, the user operating the image forming apparatus 22, and an application installed in the image forming apparatus 22 are all successfully authenticated.
  • the third party authentication of an image forming apparatus (which is installed, for example, in a company of the third party or a public environment such as a convenience store) used by the third party fails and the third party cannot obtain and print a print job.
  • image forming apparatuses that can perform pull-printing are limited by authentication. This configuration makes it possible to prevent leakage of information to a third party impersonating an authorized user and thereby improve the security of the printing system 1.
  • FIG. 2 is another drawing illustrating an exemplary configuration of the printing system 1 according to the first embodiment.
  • the network 10 providing a cloud service and the network 20 such as an internal network of a company are connected to each other via a public network 30 such as the Internet.
  • the network 10 may include the reverse proxy 11, an authentication apparatus 31, a print job management apparatus 32, and an asynchronous conversion apparatus 34.
  • the network 20 may include the terminal 21, the image forming apparatus 22, and the firewall 23.
  • the authentication apparatus 31 implements the authentication service unit 12 and the authentication DB of FIG. 1 .
  • the print job management apparatus 32 implements the print job management service unit 13 and the job management DB of FIG. 1 .
  • the asynchronous conversion apparatus 34 implements the asynchronous conversion service unit 15 and the print file storage of FIG. 1 .
  • the authentication apparatus 31, the print job management apparatus 32, and the asynchronous conversion apparatus 34 may be implemented by one computer or two or more computers. Also, the authentication DB, the job management DB, and the print file storage may instead be implemented by database apparatuses and a file storage apparatus that are provided separately from the authentication apparatus 31, the print job management apparatus 32, and the asynchronous conversion apparatus 34.
  • the terminal 21 generates print target data (e.g., document data, image data, etc.) to be printed using software (or applications).
  • the terminal 21 may also store print target data that is received from another apparatus (not shown).
  • the terminal 21 After being authenticated by the authentication apparatus 31, the terminal 21 sends a print job including print target data to the print job management apparatus 32.
  • the print job management apparatus 32 sends a conversion request to the asynchronous conversion apparatus 34 to request conversion of the print target data into a format that the image forming apparatus 22 can print.
  • the asynchronous conversion apparatus 34 converts the print target data into a format that the image forming apparatus 22 can print, asynchronously with the reception of the conversion request from the print job management apparatus 32.
  • the asynchronous conversion apparatus 34 reads the print target data from the print file storage and converts (or renders) the print target data into a print file that the image forming apparatus 22 can print.
  • the image forming apparatus 22 receives a print job list, which is a list of receivable print jobs, from the print job management apparatus 32 after the image forming apparatus 22, the user operating the image forming apparatus 22, and an application installed in the image forming apparatus 22 are all successfully authenticated. Then, the image forming apparatus 22 displays the print job list on, for example, an operations panel and requests the user to select a print job from the print job list. When a print job is selected, the image forming apparatus 22 requests a print file corresponding to the selected print job from the print job management apparatus 32.
  • the print job management apparatus 32 obtains the requested print file from the asynchronous conversion apparatus 34 and sends the obtained print file to the image forming apparatus 22.
  • the image forming apparatus 22 receives and prints the print file.
  • the asynchronous conversion apparatus 34 may convert print target data into a print file asynchronously with the request for the print file from the image forming apparatus 22 to the print job management apparatus 32 (i.e., before the print file is requested).
  • the authentication ticket is not sent from the authentication apparatus 31 to the image forming apparatus 22 unless the image forming apparatus 22, the user operating the image forming apparatus 22, and an application installed in the image forming apparatus 22 are all successfully authenticated.
  • this configuration it is possible to prevent leakage of information to a third party impersonating an authorized user using a stolen user ID and password and thereby maintain the security of the printing system 1.
  • FIG. 3 is a block diagram illustrating an exemplary hardware configuration of the information processing apparatus 100.
  • the information processing apparatus 100 may include an input unit 101, a display unit 102, an external I/F 103, a random access memory (RAM) 104, a read-only memory (ROM) 105, a central processing unit (CPU) 106, a communication I/F 107, and a hard disk drive (HDD) 108 that are connected to each other via a bus B.
  • an input unit 101 a display unit 102, an external I/F 103, a random access memory (RAM) 104, a read-only memory (ROM) 105, a central processing unit (CPU) 106, a communication I/F 107, and a hard disk drive (HDD) 108 that are connected to each other via a bus B.
  • the input unit 101 includes, for example, a keyboard and a mouse, and is used to input instructions (or operation signals) to the information processing apparatus 100.
  • the display unit 102 displays, for example, processing results of the information processing apparatus 100.
  • the communication I/F 107 is an interface for connecting the information processing apparatus 100 to a network.
  • the information processing apparatus 100 can perform data communications with other apparatuses via the communication I/F 107.
  • the HDD 108 is a non-volatile storage device for storing various programs and data.
  • the HDD 108 stores basic software or an operating system (OS) for controlling the entire information processing apparatus 100, and application software for providing various functions on the OS.
  • the HDD 108 may manage the stored programs and data using a file system and/or a database (DB).
  • OS operating system
  • DB database
  • the external I/F 103 is an interface between the information processing apparatus 100 and an external device such as a storage medium 103a.
  • the information processing apparatus 100 can read and write data from and to the storage medium 103a via the external I/F 103.
  • the storage medium 103a may be implemented by, for example, a flexible disk, a compact disk (CD), a digital versatile disk (DVD), a secure digital (SD) memory card, or a universal serial bus (USB) memory.
  • the ROM 105 is a non-volatile semiconductor memory (storage unit) that can retain programs and data even when power is turned off.
  • the ROM 105 stores programs and data such as a basic input/output system (BIOS) that is executed when the information processing apparatus 100 is turned on, and system and network settings of the information processing apparatus 100.
  • the RAM 104 is a volatile semiconductor memory (storage unit) for temporarily storing programs and data.
  • the CPU (processor) 106 loads programs and data from storage units (e.g., the HDD 108 and the ROM 105) into the RAM 104 and executes the loaded programs to control the information processing apparatus 100 and to implement various functional units of the information processing apparatus 100.
  • storage units e.g., the HDD 108 and the ROM 105
  • the authentication apparatus 31, the print job management apparatus 32, and the asynchronous conversion apparatus 34 can perform processes as described later.
  • the hardware configurations of the reverse proxy 11, the terminal 21, the image forming apparatus 22, and the firewall 23 are omitted here, these apparatuses may also have a hardware configuration similar to that illustrated in FIG. 3 .
  • an administrator having administrative rights of the network 20 accesses a uniform resource locator (URL) of the authentication apparatus 31 by using, for example, a browser of the terminal 21 and registers tables as illustrated in FIGs. 4A through 4C in the authentication DB.
  • URL uniform resource locator
  • FIGs. 4A through 4C are exemplary tables registered in the authentication DB.
  • FIG. 4A is a table storing company IDs, company names, user IDs, user names, and passwords that are associated with each other.
  • FIG. 4B is a table storing company IDs and device IDs that are associated with each other.
  • FIG. 4C is a table storing a basic authentication code.
  • the company IDs are identification information for uniquely identifying companies or other types of organizations.
  • the company names are names of companies.
  • the user IDs are identification information for uniquely identifying users.
  • the user names are names of users.
  • the passwords are secret identification information.
  • the device IDs are identification information (e.g., serial numbers) for uniquely identifying image forming apparatuses 22.
  • the basic authentication code is used for basic authentication.
  • the basic authentication code may be identification information for uniquely identifying an application installed in the image forming apparatus 22.
  • the user of the terminal 21 and the image forming apparatus 22 can be authenticated by entering a company name, a user name, and a password.
  • the image forming apparatus 22 can be authenticated.
  • the table of FIG. 4C registered in the authentication DB, an application of the image forming apparatus 22 can be authenticated.
  • companies and users belonging to the companies are associated with each other.
  • companies and devices such as the image forming apparatuses 22 installed in the companies are associated with each other.
  • a URL for accessing the authentication apparatus 31 from the image forming apparatus 22 is different from a URL for accessing the authentication apparatus 31 from the terminal 21 located in the same company as the image forming apparatus 22.
  • the image forming apparatus 22 establishes a secure socket layer (SSL) connection with the reverse proxy 11. Then, the reverse proxy 11 requests the image forming apparatus 22 to submit a client certificate.
  • the client certificate may be set in the image forming apparatus 22 before the factory shipment or obtained by the image forming apparatus 22 after the factory shipment.
  • the image forming apparatus 22 is authenticated (or certified) as a device that is located in the same company as the terminal 21. Meanwhile, the user of the terminal 21 and the image forming apparatus 22 is authenticated by the authentication apparatus 31 by sending a user ID and a password to the authentication apparatus 31 or by using a pre-registered card ID.
  • the image forming apparatus 22 is certified as a device located in the same company as the terminal 21 by establishing an SSL connection and submitting a client certificate obtained in advance.
  • the SSL connection if the client certificate has been issued from an authentication apparatus that is not trusted by the network 10, the image forming apparatus 22 cannot access the network 10.
  • an organization Before using the cloud service of the network 10, an organization such as a company or a university needs to subscribe to the cloud service so that an administrator account (e.g., a company ID, a user ID, and a password) for the organization is registered at the network 10. Also, it is necessary to install, in the image forming apparatus 22, a dedicated application for connecting to an application providing the cloud service and make connection settings (e.g., proxy information setting) for connection to the application.
  • connection settings e.g., proxy information setting
  • a device ID is registered in association with the organization
  • a user ID and a password user account
  • the company ID is an example of an organization ID.
  • FIG. 5 is a flowchart illustrating an exemplary print job registration process.
  • the printing system 1 is configured as illustrated in FIG. 1 .
  • the user performs a login operation by entering a company ID, a user ID, and a password using, for example, a browser of the terminal 21.
  • the authentication service unit 12 of the network 10 performs authentication of the user by referring to the authentication DB as illustrated in FIGs. 4A through 4C .
  • the authentication service unit 12 determines that the user is an authorized user and the login is successful.
  • the terminal 21 When the login is successful, the terminal 21 is redirected to a screen of the print job management service unit 13 of the network 10. In other words, the terminal 21 is directed to a different URL.
  • step S2 the user uploads a print target file (or print target data) to be printed, from the terminal 21 to the print job management service unit 13.
  • the user may also upload printing conditions together with the print target file to the print job management service unit 13.
  • the printing conditions may include, for example, duplex or single-side printing and the number of copies.
  • the user may upload plural print target files from the terminal 21 to the print job management service unit 13.
  • step S3 the print job management service 13 sends a conversion request including the file name of the uploaded print target file and the printing conditions to the asynchronous conversion service unit 15.
  • the print job management service unit 13 associates the uploaded print target file, the company ID, and the user ID using the job management DB with each other to manage print jobs.
  • step S4 the asynchronous conversion service unit 15 converts the print target file indicated by the conversion request based on the printing conditions in the conversion request into a print file that the image forming apparatus 22 can print.
  • Step S4 is performed asynchronously with the reception of the conversion request.
  • the asynchronous conversion service unit 15 stores the print file obtained by converting the print target file in, for example, the print file storage.
  • FIG. 6 is a flowchart illustrating an exemplary printing process.
  • the user enters a user ID and a password by operating, for example, an operations panel of the image forming apparatus 22.
  • the image forming apparatus 22 establishes an SSL connection with the reverse proxy 11 using a client certificate associated in advance with the image forming apparatus 22.
  • the image forming apparatus 22 sends a device ID (e.g., a serial number) unique to the image forming apparatus 22, an application ID for uniquely identifying an application installed in the image forming apparatus 22, the user ID, the password, and a company ID set in the image forming apparatus 22 to the authentication service unit 12.
  • a device ID e.g., a serial number
  • step S10 the authentication service unit 12 performs authentication of the application installed in the image forming apparatus 22.
  • the authentication service unit 12 determines that the application is valid and the authentication is successful.
  • step S11 the authentication service unit 12 performs authentication of the image forming apparatus 22.
  • the authentication service unit 12 determines that the image forming apparatus 22 is valid and the authentication is successful.
  • the image forming apparatus 22 is recognized as a valid device based on the client certificate. Also, since the image forming apparatus 22 is associated with a company ID as illustrated in FIG. 4B , it is determined in step S11 that the image forming apparatus 22 belongs to a company indicated by the company ID.
  • step S12 the authentication service unit 12 performs authentication of the user of the image forming apparatus 22.
  • the authentication service unit 12 performs authentication of the user by referring to the table of FIG. 4A based on the user ID, the password, and the company ID sent from the image forming apparatus 22.
  • the authentication service unit 12 determines that the user is an authorized user and the authentication is successful.
  • the image forming apparatus 22 receives an authentication ticket from the authentication service unit 12.
  • step S13 the image forming apparatus 22 requests a print job list from the print job management service unit 13 by using the authentication ticket.
  • the validity of the authentication ticket is confirmed, for example, by a policy agent (Web agent) provided in the reverse proxy 11.
  • a company ID and a user ID associated with the authentication ticket may be sent to the print job management service unit 13 together with the request for the print job list.
  • the policy agent is a component that obtains policy information and sends the obtained policy information to another component that needs the policy information to provide a security service.
  • the print job management service unit 13 requests the asynchronous conversion service unit 15 to send a conversion completion list, which indicates format conversion status, i.e., whether print target files have been converted into print files, based on a print job list of print jobs that are associated with the print target files, the company ID, and the user ID.
  • a conversion completion list which indicates format conversion status, i.e., whether print target files have been converted into print files, based on a print job list of print jobs that are associated with the print target files, the company ID, and the user ID.
  • the print job management service unit 13 sends the print job list including the format conversion status to the image forming apparatus 22. Then, the image forming apparatus 22 displays the print job list on the operations panel.
  • step S14 the user selects one or more print files (or print jobs) from the displayed print job list and requests printing of the selected print files.
  • the image forming apparatus 22 may be configured to display the print job list such that print files of printable (or receivable) print jobs are displayed as selectable items and print files of non-printable (or non-receivable) print jobs are displayed as non-selectable items. Also, the image forming apparatus 22 may be configured to display the print job list such that all print files of printable print jobs are selected by default to reduce user operations.
  • step S15 the image forming apparatus 22 requests the selected print files from the print job management service unit 13.
  • the print job management service unit 13 obtains the requested print files from the asynchronous conversion service unit 12 and sends the obtained print files to the image forming apparatus 22.
  • the image forming apparatus 22 receives and prints the print files.
  • the authentication ticket is not sent from the authentication service unit 12 to the image forming apparatus 22 unless the image forming apparatus 22, the user of the image forming apparatus 22, and the application of the image forming apparatus 22 are all successfully authenticated.
  • this configuration it is possible to prevent leakage of information to a third party impersonating an authorized user using a stolen user ID and password and thereby maintain the security of the printing system 1.
  • step S10 application authentication of step S10
  • device authentication of step S11 device authentication of step S11
  • user authentication of step S12 are performed in this order.
  • the order of these authentication steps may be changed.
  • the application authentication of step S10 may be omitted.
  • FIGs. 7A and 7B are parts of a sequence chart illustrating details of a print job registration process and a printing process.
  • the printing system 1 is configured as illustrated in FIG. 1 .
  • the terminal 21 establishes an SSL connection with the reverse proxy 11.
  • step S302 the terminal 21 tries to access the print job management service unit 13 via the reverse proxy 11. However, since the terminal 21 has no authentication ticket, the reverse proxy 11 redirects the terminal 21 to a login screen of the authentication service unit 12 in steps S303 and S304.
  • step S305 the terminal 21 receives the login screen.
  • the user performs a login operation on the login screen.
  • step S306 the terminal 21 sends a company ID, a user ID, and a password to the authentication service unit 12.
  • the authentication service unit 12 performs authentication of the user by referring to the table of FIG. 4A in the authentication DB.
  • the authentication service unit 12 determines that the user is an authorized user and the login is successful.
  • the authentication service unit 12 sends an authentication token (cookie), which is an example of an authentication ticket, to the terminal 21 in step S307.
  • step S308 since the terminal 21 has the authentication token, the terminal 21 is redirected to a print job registration screen of the print job management service unit 13.
  • step S309 the print job management service unit 13 sends the print job registration screen to the terminal 21.
  • the terminal 21 receives and displays the print job registration screen.
  • the user specifies a print target file (e.g., a document) on the print job registration screen.
  • the user can also specify printing conditions on the print job registration screen.
  • step S310 the terminal 21 sends the print target file and the printing conditions to the print job management service 13.
  • step S311 the print job management service unit 12 sends a conversion request to the asynchronous conversion service 15 to request conversion of the print target file into a format that the image forming apparatus 22 can print.
  • step S312 the asynchronous conversion service 15 returns a request reception report to the print job management service unit 13.
  • step S313 the print job management service unit 13 sends, to the terminal 21, a print job registration report indicating that a print job has been successfully registered.
  • the asynchronous conversion service unit 15 converts the print target file indicated by the conversion request into a print file with a format that the image forming apparatus 22 can print.
  • the asynchronous conversion service 15 converts the print target file asynchronously with the reception of the conversion request at step S311.
  • the asynchronous conversion service unit 15 stores the print file obtained by converting the print target file in the print file storage.
  • the user operating the terminal 21 moves to a location where the image forming apparatus 22 is installed.
  • the user starts an application of the image forming apparatus 22 and enters a user ID and a password.
  • step S314 the image forming apparatus 22 establishes an SSL connection with the reverse proxy 11 using a client certificate.
  • step S315 the image forming apparatus 22 sends a company ID, a user ID, a password, a device ID, and an application ID to the authentication service unit 12.
  • the authentication service unit 12 confirms the validity of the application (application authentication), the validity of the company, and the validity (location or presence) of the image forming apparatus 22 (device authentication).
  • the authentication service unit 12 When the validity of the application and the image forming apparatus 22 is successfully confirmed (i.e., when the application authentication and the device authentication are successful), the authentication service unit 12 performs user authentication.
  • the authentication service unit 12 performs user authentication by referring to the table of FIG. 4A (authentication DB) based on the user ID, the password, and the company ID sent from the image forming apparatus 22.
  • step S316 the authentication service unit 12 sends an authentication token to the image forming apparatus 22.
  • step S317 the image forming apparatus 22 requests a print job list from the print job management service 13 using the authentication token, and also sends the device ID to the print job management service unit 13.
  • the validity of the authentication token is confirmed, for example, by a policy agent provided in the reverse proxy 11.
  • the reverse proxy 11 sends the company ID and the user ID associated with the authentication token to the print job management service 13 together with the request for the print job list.
  • step S318 the print job management service unit 13 requests the asynchronous conversion service unit 15 to send a conversion completion list indicating format conversion status, i.e., whether print target files have been converted into print files.
  • step S319 the asynchronous conversion service unit 15 sends the conversion completion list to the print job management service 13.
  • step S320 the print job management service unit 13 sends the print job list including the format conversion status to the image forming apparatus 22.
  • the image forming apparatus 22 displays the print job list on the operations panel. Then, the user selects one or more print files (i.e., documents the user needs to print) from the displayed print job list and requests printing of the selected print files (e.g., by pressing a print button).
  • step S321 the image forming apparatus 22 requests the selected print files (or documents to be printed) from the print job management service unit 13, and also sends the device ID to the print job management service unit 13.
  • step S322 the print job management service unit 13 requests the asynchronous conversion service unit 15 to send the print files requested by the image forming apparatus 22.
  • step S323 the asynchronous conversion service unit 15 sends the requested print files (or documents to be printed) to the print job management service unit 13.
  • step S324 the print job management service unit 13 sends the requested print files (or documents to be printed) to the image forming apparatus 22.
  • The, the image forming apparatus 22 receives and prints the print files.
  • FIG. 8 is a drawing used to describe steps S301 through S309 of FIG. 7A in more detail.
  • the authentication service unit 12 may include a login UI 121, an authentication unit 122, a user API 123, and an authentication DB 124.
  • the login UI 121 is a user interface for logging in.
  • the authentication unit 122 performs authentication using the authentication DB 124.
  • the authentication unit 122 may be implemented, for example, by OpenAM.
  • OpenAM is authentication platform software that provides a single sign-on (SSO) architecture.
  • the authentication unit 122 performs authentication based on company IDs, user IDs, and passwords stored in the authentication DB 124, which is an example of a user data store, and also performs authentication based on client certificates.
  • the user API 123 is an application programming interface that receives requests to confirm the validity of authentication tokens from Web applications such as the print job management service unit 13 and other applications, and returns confirmation results to those applications.
  • step S301 the terminal 21 establishes an SSL connection with the reverse proxy 11.
  • step S302 the terminal 21 tries to access the print job management service unit 13 via the reverse proxy 11.
  • the reverse proxy 11 confirms whether a request (which may be referred to as an "access request") from the terminal 21 to access the print job management service 13 includes an authentication token.
  • the reverse proxy 11 redirects the terminal 21 to the login UI 121 of the authentication service unit 12 in steps S303 and S304.
  • step S305 the login UI 121 sends a login screen to the terminal 21, and the terminal 21 receives the login screen.
  • the user performs a login operation on the login screen.
  • step S306 the terminal 21 sends a company ID, a user ID, and a password to the login UI 121 of the authentication service unit 12.
  • step S306a the login UI 121 requests the authentication unit 122 to authenticate the user based on the company ID, the user ID, and the password received from the terminal 21.
  • step S306b the authentication unit 122 performs authentication by referring to the authentication DB 124. For example, when the combination of the company ID, the user ID, and the password sent from the terminal 21 is registered in the table of FIG. 4A (in the authentication DB 124), the authentication unit 122 determines that the user is an authorized user.
  • the authentication unit 122 sends an authentication token to the login UI 121 in step S306c.
  • the login UI 121 sends the authentication token received from the authentication unit 122 to the terminal 21.
  • step S308 the terminal 21 tries to access the print job management service unit 13 via the reverse proxy 11.
  • the reverse proxy 11 confirms whether the access request from the terminal 21 to access the print job management service 13 includes an authentication token.
  • the reverse proxy 11 queries a Web agent 111 whether the authentication token is in a cache.
  • the Web agent 111 in step S308a, requests and receives contents of the authentication token from the authentication unit 122.
  • the Web agent 111 stores the received contents of the authentication token in the cache.
  • the contents of the authentication token cached by the Web agent 111 may include, for example, a company ID, a user ID, and an accessible destination.
  • the reverse proxy 11 in step S308b, redirects the terminal 21 to a print job registration screen of the print job management service unit 13. In this step, the reverse proxy 11 also sends the company ID and the user ID associated with the authentication token to the print job management service unit 13.
  • step S308c the print job management service unit 13 requests the user API 123 of the authentication service unit 12 to confirm the validity of the received authentication token.
  • step S308d the user API 123 requests the authentication unit 122 to confirm the validity of the authentication token and receives the confirmation result.
  • step S308e the print job management service unit 13 receives the confirmation result of the validity of the authentication token from the user API 123.
  • the print job management service unit 13 in steps S309 and S309a, sends the print job registration screen to the terminal 21.
  • the terminal 21 receives and displays the print job registration screen.
  • FIG. 9 is a drawing used to describe steps S314 through S317 of FIG. 7B in more detail.
  • the authentication service unit 12 may include a relay API 125 in addition to the components of the authentication service unit 12 illustrated in FIG. 8 .
  • the relay API 125 is an authentication application programming interface (API) for devices such as the image forming apparatus 22.
  • the relay API 125 receives an authentication request from the image forming apparatus 22 and returns an authentication result to the image forming apparatus 22.
  • API application programming interface
  • step S314 the image forming apparatus 22 establishes an SSL connection with the reverse proxy 11 using a client certificate.
  • step S315 the image forming apparatus 22 sends an authentication request including a company ID, a user ID, a password, a device ID, and an application ID to the relay API 125 of the authentication service unit 12.
  • step S315a when the application ID sent from the image forming apparatus 22 is registered in the authentication DB 124 as the basic authentication code (see FIG. 4C ), the relay API 125 determines that the application is valid and the application authentication is successful.
  • the relay API 125 determines that the image forming apparatus 22 is valid and the device authentication is successful.
  • step S315b the relay API 125 requests the authentication unit 122 to authenticate the user based on the user ID, the password, and the company ID sent from the image forming apparatus 22.
  • step S315c when the combination of the user ID, the password, and the company ID sent from the image forming apparatus 22 is registered in the table of FIG. 4A (in the authentication DB 124), the authentication unit 122 determines that the user is an authorized user and the user authentication is successful.
  • the authentication unit 122 sends an authentication token to the relay API 125 in step S315d.
  • the relay API 125 sends the authentication token received from the authentication unit 122 to the image forming apparatus 22.
  • step S317 the image forming apparatus 22 tries to access the print job management service unit 13 via the reverse proxy 11 to request a print job list.
  • the reverse proxy 11 confirms whether the access request to the print job management service 13 includes an authentication token.
  • the reverse proxy 11 queries the Web agent 111 whether the authentication token is in a cache.
  • the Web agent 111 in step S317a, requests and receives contents of the authentication token from the authentication unit 122.
  • the Web agent 111 stores the received contents of the authentication token in the cache.
  • the contents of the authentication token cached by the Web agent 111 may include, for example, a company ID, a user ID, and an accessible destination.
  • the reverse proxy 11 in step S317b, requests a print job list from the print job management service unit 13 and also sends the device ID to the print job management service unit 13. Also in this step, the reverse proxy 11 sends the company ID and the user ID associated with the authentication token to the print job management service unit 13.
  • step S317c the print job management service unit 13 requests the user API 123 of the authentication service unit 12 to confirm the validity of the received authentication token.
  • step S317d the user API 123 requests the authentication unit 122 to confirm the validity of the authentication token and receives the confirmation result.
  • step S317e the print job management service unit 13 receives the confirmation result of the validity of the authentication token from the user API 123.
  • the print job management service unit 13 can proceed to step S318.
  • devices used for printing e.g., the image forming apparatuses 22
  • devices used for printing are registered in association with companies, and only documents registered as print jobs of the companies are printed from the registered devices.
  • a print file registered as a print job of a company cannot be output from a device (e.g., the image forming apparatus 22) of another company.
  • device authentication is performed before user authentication, so that the user authentication is performed only when it is requested from a valid device. Accordingly, this configuration makes it possible to prevent leakage of print jobs to a third party impersonating an authorized user.
  • a user can obtain a print file and print the print file on an image forming apparatus 22 only when the user, the image forming apparatus 22, and an application installed in the image forming apparatus 22 are all successfully authenticated.
  • a print file of a user can be printed only on an image forming apparatus 22 that is associated with the company ID of a company to which the user belongs. Accordingly, this configuration makes it possible to prevent leakage of information to a third party impersonating an authorized user using a stolen user ID and password and thereby makes it possible to improve security.
  • a printing system is configured such that user IDs and passwords are not sent via the public network 30 such as the Internet.
  • an authentication system of the network 10 providing a cloud service using a Security Assertion Markup Language (SAML) collaborates with an authentication system of the network 20 (e.g., an internal network of a company) to provide a single sign-on architecture.
  • SAML Security Assertion Markup Language
  • FIG. 10 is a drawing used to describe a single sign-on architecture.
  • an identity provider (IdP) 200 is, for example, an authentication server or an authentication apparatus that provides authentication information.
  • a user 201 authenticated by the IdP 200 can access a service provided by a service provider (SP) 202.
  • the SP 202 includes a Web application 203 that is a target of single sign-on.
  • the SP 202 provides a service to the user 201 based on authentication information (assertion) issued by the IdP 200.
  • the SP 202 authorizes the user 201 to use a service based on the authentication information.
  • the user 201 may be authorized by an agent of OpenAM.
  • step S351 the user 201 logs into the IdP 200, which provides an authentication platform and manages IDs, via a terminal such as a PC.
  • step S352 the IdP 200 authenticates the user 201 and issues authentication information called "assertion”. The user 201 sends the authentication information issued by the IdP 200 to the SP 202.
  • the Web application 203 of the SP 202 supports SAML.
  • SAML is a framework for exchanging authentication information via the Extensible Markup Language (XML).
  • the SP 202 receives the authentication information and provides a service to the user 201.
  • the user 201 can access the Web application 203 of the SP 202 without performing an additional login operation. This indicates that a relationship of trust is built beforehand between the IdP 200 and the SP 202.
  • the IdP 200 and the SP 202 share the account information of the user 201 and use the same authentication information to enable single sign-on.
  • the user 201 can log into the print job management apparatus 32 of the network 10 by just logging into the authentication apparatus of the network 20 using a user ID and a password.
  • device authentication is performed to guarantee that a requesting device is associated with an appropriate company ID and transmission of user IDs and passwords is kept within the network 20 (i.e., an internal network) to improve security.
  • a single sign-on architecture is employed to improve the convenience of the user 201.
  • FIG. 11 is a drawing illustrating an exemplary configuration of a printing system 2 according to the second embodiment.
  • the printing system 2 of FIG. 11 has a configuration similar to the configuration of the printing system 1 of FIG. 1 except that an IdP 24 is added to the network 20.
  • IdP 24 is added to the network 20.
  • the network 20 is, for example, an internal network of a company and may include at least one terminal 21, at least one image forming apparatus 22, and the IdP 24.
  • the IdP 24 may be implemented by one or more information processing apparatuses.
  • the IdP 24 of the network 20 authenticates the terminal 21 and issues an authentication ticket (which may be referred to as "assertion") for the terminal 21.
  • the terminal 21 sends a print job to the print job management service unit 13 of the network 10, i.e., enters the print job, by using the authentication ticket.
  • the IdP 24 of the network 20 also authenticates the image forming apparatus 22 and issues an authentication ticket ("assertion") for the image forming apparatus 22.
  • the image forming apparatus 22 receives a print job (or print data) from the print job management service unit 13 of the network 10 by using the authentication ticket, and executes the print job.
  • the authentication service unit 12 performs user authentication by using the authentication tickets sent from the terminal 21 and the image forming apparatus 22.
  • the authentication service unit 12 also performs authentication of the image forming apparatus 22 and an application installed in the image forming apparatus 22 by using the authentication DB.
  • the authentication service unit 12 sends an authentication ticket to the terminal 21.
  • the image forming apparatus 22, the user operating the image forming apparatus 22, and an application installed in the image forming apparatus 22 are all successfully authenticated, the authentication service unit 12 sends an authentication ticket to the image forming apparatus 22.
  • the IdP 24 provided in the network 20 authenticates a user based on a user ID and a password, and issues an authentication ticket when the user is successfully authenticated. Also in the printing system 2, instead of user IDs and passwords, authentication tickets are sent and received between the network 10 and the network 20. In other words, transmission of user IDs and passwords is kept within the network 20.
  • FIG. 12 is another drawing illustrating an exemplary configuration of the printing system 2 according to the second embodiment.
  • the printing system 2 of FIG. 12 has a configuration similar to the configuration of the printing system 1 of FIG. 2 except that the IdP 24 is added to the network 20.
  • the IdP 24 is added to the network 20.
  • the network 20 may include the terminal 21, the image forming apparatus 22, the firewall 23, and the IdP 24.
  • the IdP 24 authenticates the user of the terminal 21 and issues an authentication ticket ("assertion") for the terminal 21.
  • the terminal 21 sends a print job including data to be printed to the print job management apparatus 32 by using the authentication ticket.
  • the IdP 24 also authenticates the user of the image forming apparatus 22 and issues an authentication ticket for the image forming apparatus 22.
  • the authentication apparatus 31 authenticates the user of the image forming apparatus 22 based on the authentication ticket.
  • the authentication apparatus 31 also authenticates the image forming apparatus 22 and an application installed in the image forming apparatus 22 based on a device ID and an application ID.
  • the image forming apparatus 22 After the user operating the image forming apparatus 22, the image forming apparatus 22 itself, and the application installed in the image forming apparatus 22 are authenticated, the image forming apparatus 22 receives a print job list, which is a list of receivable print jobs, from the print job management apparatus 32.
  • Processes performed after the print job list is received by the image forming apparatus 22 are substantially the same as those described in the first embodiment, and their descriptions are omitted here.
  • authentication based on user IDs and passwords is performed by the IdP 24 provided in the network 20 and the user IDs and the passwords are transmitted only in the network 20.
  • the second embodiment makes it possible to prevent leakage of information to a third party impersonating an authorized user and thereby maintain the security of the printing system 2.
  • the IdP 24 of FIG. 12 may have a hardware configuration similar to the hardware configuration illustrated in FIG. 3 .
  • an administrator having administrative rights of the network 20 accesses a uniform resource locator (URL) of the authentication apparatus 31 by using, for example, a browser of the terminal 21 and registers tables as illustrated in FIGs. 4B and 4C in the authentication DB. Meanwhile, the table of FIG. 4A is registered in an authentication DB (not shown) in the network 20.
  • URL uniform resource locator
  • the user of the terminal 21 and the image forming apparatus 22 can be authenticated by the IdP 24.
  • the image forming apparatus 22 can be authenticated by the authentication apparatus 31.
  • the application of the image forming apparatus 22 can be authenticated by the authentication apparatus 31.
  • a print job registration process and a printing process according to the second embodiment are substantially the same as those in the first embodiment except that authentication by the IdP 24 of the network 20 is performed before authentication by the authentication service unit 12. Therefore, overlapping descriptions may be omitted here.
  • FIGs. 13A and 13B are parts of a sequence chart illustrating an exemplary print job registration process and an exemplary printing process according to the second embodiment.
  • the printing system 2 is configured as illustrated in FIG. 11 .
  • the terminal 21 establishes an SSL connection with the reverse proxy 11.
  • step S402 the terminal 21 tries to access the print job management service unit 13 via the reverse proxy 11. However, since the terminal 21 has no authentication ticket, the reverse proxy 11 redirects the terminal 21 to a login screen of the IdP 24 in steps S403 and S404.
  • step S405 the terminal 21 receives a login screen.
  • the user performs a login operation on the login screen.
  • the terminal 21 sends a user ID and a password to the IdP 24.
  • the IdP 24 performs user authentication by referring to the table in the authentication DB provided in the network 20.
  • the IdP 24 determines that the user is an authorized user and the login is successful.
  • the IdP 24 sends an authentication ticket (assertion) to the terminal 21 in step S407.
  • step S408 the terminal 21 with the authentication ticket is automatically forwarded to the authentication service unit 12.
  • the authentication service unit 12 performs user authentication based on the authentication ticket.
  • the authentication service unit 12 sends an authentication token to the terminal 21.
  • steps S410 through S415 are substantially the same as steps S308 through S313 of FIG. 7A , their descriptions are omitted here.
  • the user operating the terminal 21 moves to a location where the image forming apparatus 22 is installed.
  • the user starts an application of the image forming apparatus 22 and enters a user ID and a password.
  • step S416 the image forming apparatus 22 sends the user ID and the password to the IdP 24.
  • the IdP 24 performs user authentication by referring to the table in the authentication DB provided in the network 20.
  • the IdP 12 determines that the user is an authorized user and the login is successful.
  • the IdP 24 sends an authentication ticket (assertion) to the image forming apparatus 22 in step S417.
  • step S4108 the image forming apparatus 22 establishes an SSL connection with the reverse proxy 11 using a client certificate.
  • step S419 the image forming apparatus 22 sends a company ID, the authentication ticket (assertion), a device ID, and an application ID to the authentication service unit 12.
  • the authentication service unit 12 confirms the validity of the authentication ticket (user authentication), the validity of the application (application authentication), the validity of the company, and the validity (location or presence) of the image forming apparatus 22 (apparatus authentication).
  • step S420 the authentication service unit 12 sends an authentication token to the image forming apparatus 22. Since step S421 and the subsequent steps are substantially the same as step S317 and the subsequent steps of FIG. 7B , their descriptions are omitted here.
  • authentication based on user IDs and passwords is performed by the IdP 24 provided in the network 20 (e.g., an internal network of a company), and authentication tickets are sent and received between the network 10 (which provides a cloud service) and the network 20 instead of user IDs and passwords.
  • the network 20 e.g., an internal network of a company
  • the printing system 2 of the second embodiment transmission of user IDs and passwords is kept within the network 20.
  • the second embodiment makes it possible to prevent leakage of information to a third party impersonating an authorized user and thereby makes it possible maintain the security of the printing system 2.
  • a third embodiment makes it possible to print a print file on an image forming apparatus 22 having a company ID that is different from a company ID associated with the user.
  • FIG. 14 is a drawing illustrating an exemplary configuration of a printing system 3 according to the third embodiment.
  • a network 10 providing a cloud service and networks 20-1 and 20-2 which are, for example, internal networks of companies, are connected to each other via a public network 30 such as the Internet.
  • the network 20-1 private environment B-1) may include a terminal 21 and a firewall 23.
  • the network 20-2 private environment B-2) may include an image forming apparatus 22 and a firewall 23.
  • the printing system 3 of FIG. 14 is similar to the printing system 1 of FIG. 2 except that the terminal 21 and the image forming apparatus 22 are provided separately in the networks 20-1 and 20-2 having different company IDs. Therefore, overlapping descriptions are omitted here.
  • the terminal 21 of the network 20-1 (private environment B-1) and the image forming apparatus 22 of the network 20-2 (private environment B-2) are authenticated by the authentication apparatus 31 of the network 10.
  • the authentication apparatus 31 manages company IDs of the same company or the same corporate group by associating them with a corporate group ID.
  • the authentication apparatus 31 determines whether other company IDs are associated with a corporate group ID that is associated with the company ID "1235".
  • a company ID "1234" is also associated with the corporate group ID associated with the company ID "1235".
  • the authentication apparatus 31 performs user authentication using the company ID "1234" instead of the company ID "1235".
  • the user is associated with the corporate ID "1234", the user is successfully authenticated.
  • a user can be successfully authenticated and can print a print file even when the company ID (e.g., "1234") of the user is different from the company ID (e.g., "1235") of the image forming apparatus 22 being operated by the user as long as the company IDs are associated with the same corporate group ID.
  • the company ID e.g., "1234"
  • the company ID e.g., "1235"
  • Processes other than a user authentication process performed in the printing system 3 of the third embodiment are substantially the same as those performed in the printing system 1 of the first embodiment, and their descriptions are omitted here.
  • a user can print a print file using an image forming apparatus 22 (or any other device) that is located in a company to which the user belongs or a company in the same corporate group even if the company ID of the image forming apparatus 22 is different from the company ID of the user.
  • the third embodiment also makes it possible to prevent leakage of information to a third party impersonating an authorized user and thereby maintain the security of the printing system 3.
  • an administrator having administrative rights of the network 20 accesses a uniform resource locator (URL) of the authentication apparatus 31 by using, for example, a browser of the terminal 21 and registers tables as illustrated in FIGs. 15A through 15D .
  • URL uniform resource locator
  • FIGs. 15A through 15D are exemplary tables registered in the authentication DB according to the third embodiment.
  • the tables of FIGs. 15A through 15C are substantially the same as the tables of FIGs. 4A through 4C , and therefore their descriptions are omitted here.
  • the table of FIG. 15D stores company IDs of the same company or companies belonging to the same corporate group in association with a corporate group ID.
  • company IDs "1234", "1235", and "1236" are associated with a corporate group ID "G01".
  • a user having the company ID "1234" and operating an image forming apparatus 22 with the company ID "1235" can be successfully authenticated.
  • a print job registration process of the third embodiment is substantially the same as the print job registration process of the first embodiment, and therefore its description is omitted here.
  • a printing process of the third embodiment is different from the printing process of the first embodiment in step S12 (user authentication process) of FIG. 6 .
  • Other steps are substantially the same, and their descriptions are omitted here.
  • FIG. 16 is a flowchart illustrating an exemplary user authentication process.
  • the authentication apparatus 31 performs authentication of a user by referring to the table of FIG. 15A based on a user ID, a password, and a company ID sent from the image forming apparatus 22.
  • step S502 when the combination of the user ID, the password, and the company ID sent from the image forming apparatus 22 is registered in the table of FIG. 15A (or the authentication DB), the authentication apparatus 31 determines that the user is an authorized user. When the user is an authorized user, the authentication apparatus 31 determines, in step S505, that the authentication is successful.
  • the authentication apparatus 31 determines that the user is an authorized user and the authentication is successful.
  • this company ID may be referred to as a "reported company ID"
  • the authentication apparatus 31 proceeds to step S503.
  • step S503 the authentication apparatus 31 refers to the table of FIG. 15D to determine whether a company ID other than the reported company ID is registered in association with a corporate group ID associated with the reported company ID (i.e., whether another company ID is registered in the same record as the reported company ID).
  • the authentication apparatus 31 determines that the company ID "1234" is also associated with the corporate group ID "G01". When there is another company ID associated with a corporate group ID that is associated with the reported company ID, the authentication apparatus 31 replaces the reported company ID with the other company ID in step S504 and returns to step S502 to perform user authentication again.
  • the authentication apparatus 31 replaces the reported company ID "1235" with another company ID "1234" associated with the same corporate group ID "G01" in step S504 and performs user authentication again in step S502.
  • the company ID of the user is "1234", the user is successfully authenticated.
  • Step S504 may also be performed in a different manner. For example, when there is another company ID associated with the same corporate group ID as the reported company ID, the authentication apparatus 31 may be allowed to switch to another authentication DB including the other company ID and perform user authentication using the other authentication DB.
  • step S503 If no other company ID associated with the same corporate group ID as the reported company ID is found in step S503, the authentication apparatus 31 determines that the user is not an authorized user and the authentication is not successful. Steps following the user authentication are substantially the same as those described with reference to FIG. 6 in the first embodiment, and therefore their descriptions are omitted here.
  • a user can print a print file on an image forming apparatus 22 with a company ID different from the company ID of the user if those company IDs are associated with the same corporate group ID.
  • the printing system 3 of the third embodiment allows the user to print or process files on devices with different company IDs by associating the company IDs with each other.
  • a user belonging to the Japanese headquarters can print an uploaded print file by using an image forming apparatus 22 located in the US branch of the company A.
  • a fourth embodiment employs a method or mechanism different from the third embodiment to achieve substantially the same effect.
  • the printing system 3 used in the third embodiment is also used and therefore descriptions of the system configuration are omitted.
  • An information registration process according to the fourth embodiment is substantially the same as the information registration process in the first embodiment. That is, in the fourth embodiment, it is not necessary to register the table of FIG. 15D that stores company IDs of companies belonging to corporate groups in association with the corresponding corporate group IDs.
  • a print job registration process of the fourth embodiment is substantially the same as the print job registration process of the first embodiment, and therefore its description is omitted here.
  • a printing process of the fourth embodiment is different from the printing process of the first embodiment in step S315 of FIG. 7B .
  • Other steps are substantially the same, and their descriptions are omitted here.
  • step S315 in the printing process of the fourth embodiment the image forming apparatus 22 sends a company ID for device authentication, a company ID for user authentication, a user ID, a password, a device ID, and an application ID to the authentication service unit 12.
  • a company ID for device authentication a company ID for user authentication
  • a user ID a user ID
  • a password a device ID
  • an application ID an application ID to the authentication service unit 12.
  • the authentication service unit 12 confirms the validity of the company and the validity (location or presence) of the image forming apparatus 22 (device authentication) based on the company ID for device authentication.
  • the authentication service unit 12 also performs user authentication based on the company ID for user authentication. More specifically, the authentication service unit 12 performs user authentication by referring to the table of FIG. 4A (authentication DB) based on the user ID, the password, and the company ID for user authentication sent from the image forming apparatus 22.
  • the company ID for user authentication may be entered by the user, for example, on the same screen of the image forming apparatus 22 for entering the user ID and the password. In this case, however, even a user with a company ID that is the same as the company ID of the image forming apparatus 22 may also need to enter the company ID for user authentication on the screen of the image forming apparatus 22 for entering the user ID and password.
  • a screen for a user with a company ID that is the same as the company ID of the image forming apparatus 22 is provided separately from a screen for a user with a company ID that is different from the company ID of the image forming apparatus 22.
  • one screen may be shared by a user with a company ID that is the same as the company ID of the image forming apparatus 22 and a user with a company ID that is different from the company ID of the image forming apparatus 22.
  • whether a user has a company ID that is the same as the company ID of the image forming apparatus 22 is determined based on whether a company ID for user authentication is entered by the user.
  • Steps following step S316 are substantially the same as those in the first embodiment, and therefore their descriptions are omitted here.
  • the printing system 3 of the fourth embodiment allows a user to print or process a file on an image forming apparatus 22 with a company ID different from the company ID of the user by sending both of the company IDs for device authentication and user authentication from the image forming apparatus 22.
  • a mechanism for determining whether a company ID for device authentication and a company ID for user authentication are associated with the same corporate group ID is added to the mechanism of the fourth embodiment.
  • the printing system 3 used in the third embodiment is also used and therefore descriptions of the system configuration are omitted.
  • An information registration process according to the fifth embodiment is substantially the same as the information registration process in the third embodiment. That is, in the fifth embodiment, the table of FIG. 15D , which stores company IDs of companies belonging to corporate groups in association with the corresponding corporate group IDs, is registered in the authentication DB.
  • a print job registration process of the fifth embodiment is substantially the same as the print job registration process of the fourth embodiment, and therefore its description is omitted here.
  • a printing process of the fifth embodiment is different from the printing process of the fourth embodiment in the user authentication process performed in step S315 of FIG. 7B .
  • Other steps are substantially the same, and their descriptions are omitted here.
  • FIG. 17 is a flowchart illustrating an exemplary user authentication process according to the fifth embodiment.
  • step S601 of FIG. 17 the authentication apparatus 31 performs user authentication by referring to the table of FIG. 15A based on a user ID, a password, and a company ID for user authentication sent from the image forming apparatus 22.
  • step S602 when the combination of the user ID, the password, and the company ID for user authentication sent from the image forming apparatus 22 is registered in the table of FIG. 15A (or the authentication DB), the authentication apparatus 31 determines that the user is an authorized user. When the user is an authorized user, the authentication apparatus 31 proceeds to step S603.
  • step S603 the authentication apparatus 31 determines whether the company ID for user authentication and a company ID for device authentication sent from the image forming apparatus 22 are associated with the same corporate group ID by referring to the table of FIG. 15D .
  • the authentication apparatus 31 determines, in step S604, that the authentication is successful.
  • step S602 when it is determined, in step S602, that the combination of the user ID, the password, and the company ID for user authentication sent from the image forming apparatus 22 is not registered in the table of FIG. 15A , the authentication apparatus 31 determines, in step S605, that the user is not an authorized user and the authentication is not successful.
  • the authentication apparatus 31 determines, in step S605, that the user is not an authorized user and the authentication is not successful.
  • a company ID for device authentication and a company ID for user authentication are sent from the image forming apparatus 22 to the authentication apparatus 31 and the authentication apparatus 31 determines whether the company ID for device authentication and the company ID for user authentication are associated with the same corporate group ID.
  • the authentication service unit 12, the print job management service unit 13, and the asynchronous conversion service unit 15 are implemented, respectively, as the authentication apparatus 31, the print job management apparatus 32, and the asynchronous conversion apparatus 34, i.e., by separate information processing apparatuses 100.
  • the present invention is not limited to the above described configurations.
  • two or more of the authentication service unit 12, the print job management service unit 13, and the asynchronous conversion service unit 15 may be implemented by one information processing apparatus 100.
  • the image forming apparatus 22 is used as an example of a device. However, the present invention may also be applied to any other device such as a projector or a scanner that inputs and outputs image data.
  • the image forming apparatus 22 may be configured to output (or print) an image on various media in addition to or other than paper.
  • a company ID may be referred to as an "organization TD", an "organization identifier", or “organization identification information”. That is, a company ID (or an organization ID, an organization identifier, or organization identification information) is not limited to identification information for identifying a company, but may also represent identification information for identifying any other type of organization or group.
  • an "organization” is not limited to a company or a university, but may indicate a group of users or devices of any type.
  • identification information for identifying a contract for a group of users or devices may be used as a company ID (or an organization ID, an organization identifier, or organization identification information).
  • each of the printing systems 1-3 basically includes the terminal 21 for requesting registration of a job, the image forming apparatus 22 for outputting the job, and the information processing apparatus 100 that are connected to each other for communications.
  • the information processing apparatus 100 basically includes a function for converting electronic data (i.e., data to be processed in a job) sent from the terminal 21 into a format (e.g., print data for a printer or display data for a display) that the image forming apparatus 22 (or any other device) can process.
  • the present invention may be applied to, but is not limited to, any system having such a basic configuration.
  • Company codes/IDs (organization identification information or first/second organization identifiers), user IDs (user identification information or first/second user identifiers), and passwords are registered in advance by a user such as an administrator.
  • a user such as an administrator sends company codes, user IDs, and passwords from an administrator terminal to the authentication service unit 12 (or the authentication apparatus 31) to request their registration.
  • a registration unit (not shown) of the authentication service unit 12 registers the company codes, the user IDs, and the passwords in the authentication DB.
  • the registration unit is configured to not register plural sets of the same combination of a user ID and a password in association with one company code.
  • the registration unit determines whether a matching combination, which matches the combination of a company code, a user ID, and a password in the new registration request (which may be referred to as a "requested combination"), is present in the already-registered combinations (or records) in the authentication DB.
  • the registration unit reports it to the administrator terminal without registering the requested combination in the authentication DB.
  • the registration unit may be configured to display a confirmation screen to ask the administrator whether to overwrite the matching combination with the requested combination. When the administrator chooses to overwrite the matching combination, the registration unit overwrites the matching combination with the requested combination.
  • the registration unit determines whether a matching combination that matches the requested combination is present in the already-registered combinations (or records) in the authentication DB. When a matching combination is found, the registration unit overwrites the matching combination with the requested combination. Meanwhile, when no matching combination is found, the registration unit displays a confirmation screen to ask the administrator whether to register the requested combination as a new record or registers the requested combination without displaying the confirmation screen.
  • the registration unit is preferably configured to first identify an already-registered company code that matches a received company code and then determine whether a received combination of a user ID and a password is present in already-registered combinations of user IDs and passwords associated with the identified company code.
  • This configuration makes it possible to more efficiently determine the presence of a matching combination compared with a configuration where the registration unit first identifies already-registered combinations of user IDs and passwords that match the received combination of a user ID and a password and then determines whether the company codes associated with the identified combinations match the received company code.
  • external apparatuses may correspond to the terminal 21 and the image forming apparatus 22; an information processing system may correspond to any one of the printing systems 1-3; first and second receiving units may correspond to the print job management apparatus 32; first and second authentication units may correspond to the authentication apparatus 31; a storage unit may correspond to the authentication DB; and an output data receiving unit, an output data recording unit, and first and second output data transmitting units may correspond to the print job management apparatus 32.
  • An aspect of this disclosure provides an information processing system, an information processing apparatus, and an authentication method that make it possible to improve security.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Accessory Devices And Overall Control Thereof (AREA)
  • Facsimiles In General (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
EP13153043.8A 2012-02-01 2013-01-29 Informationsverarbeitungssystem, Informationsverarbeitungsvorrichtung und Authentifizierungsverfahren Active EP2624123B1 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2012020251 2012-02-01
JP2012111681 2012-05-15
JP2013001609A JP6098169B2 (ja) 2012-02-01 2013-01-09 情報処理システム、情報処理装置、プログラム及び認証方法

Publications (3)

Publication Number Publication Date
EP2624123A2 true EP2624123A2 (de) 2013-08-07
EP2624123A3 EP2624123A3 (de) 2014-05-07
EP2624123B1 EP2624123B1 (de) 2020-01-08

Family

ID=47740797

Family Applications (1)

Application Number Title Priority Date Filing Date
EP13153043.8A Active EP2624123B1 (de) 2012-02-01 2013-01-29 Informationsverarbeitungssystem, Informationsverarbeitungsvorrichtung und Authentifizierungsverfahren

Country Status (4)

Country Link
US (1) US9455970B2 (de)
EP (1) EP2624123B1 (de)
JP (1) JP6098169B2 (de)
CN (1) CN103248780B (de)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6056384B2 (ja) 2012-10-31 2017-01-11 株式会社リコー システム及びサービス提供装置
US9430637B2 (en) 2013-07-26 2016-08-30 Ricoh Company, Ltd. Service providing system and information gathering method
US9164710B2 (en) 2013-07-26 2015-10-20 Ricoh Company, Ltd. Service providing system and service providing method
US9189187B2 (en) 2013-07-30 2015-11-17 Ricoh Company, Ltd. Service providing system and service providing method for providing a service to a service usage device connected via a network
US9537849B2 (en) 2013-07-31 2017-01-03 Ricoh Company, Limited Service provision system, service provision method, and computer program product
US9736159B2 (en) * 2013-11-11 2017-08-15 Amazon Technologies, Inc. Identity pool bridging for managed directory services
CN104866476B (zh) * 2014-02-20 2019-06-25 联想(北京)有限公司 一种信息处理方法及服务器
JP6287401B2 (ja) * 2014-03-18 2018-03-07 富士ゼロックス株式会社 中継装置、システム及びプログラム
JP5913511B1 (ja) * 2014-09-29 2016-04-27 株式会社三井住友銀行 他社認証を利用したセキュリティ強化のための認証システム、認証方法、及び認証プログラム
JP6361439B2 (ja) * 2014-10-10 2018-07-25 富士ゼロックス株式会社 情報処理装置及び情報処理プログラム
JP2016116092A (ja) * 2014-12-16 2016-06-23 株式会社リコー 伝送システム、伝送管理システム、伝送端末、伝送方法、及びプログラム
JP6042955B1 (ja) * 2015-09-18 2016-12-14 株式会社Pfu 情報処理装置、システム、方法およびプログラム
DE112016005611T5 (de) * 2015-12-08 2018-09-06 Sony Corporation Informationsverarbeitungssystem, Informationsverarbeitungseinheit und Informationsverarbeitungsverfahren
JP6747103B2 (ja) * 2016-06-30 2020-08-26 ブラザー工業株式会社 画像処理装置、および、コンピュータプログラム
US10114594B2 (en) * 2016-09-30 2018-10-30 Riso Kagaku Corporation Printing apparatus with authentication function
US10769268B2 (en) * 2016-11-01 2020-09-08 Ricoh Company, Ltd. Information processing device, information processing system, and information processing method
JP2018097449A (ja) * 2016-12-09 2018-06-21 セイコーエプソン株式会社 受注システム、プリンター
JP6965653B2 (ja) * 2017-09-14 2021-11-10 株式会社リコー 情報処理装置、情報処理システム、情報処理方法及びプログラム
CN110515569A (zh) * 2018-08-30 2019-11-29 珠海奔图电子有限公司 图像形成装置的控制方法及控制系统
JP7166873B2 (ja) * 2018-10-25 2022-11-08 東芝テック株式会社 画像形成装置及び制御方法
JP7331532B2 (ja) * 2019-07-30 2023-08-23 京セラドキュメントソリューションズ株式会社 情報処理システム、情報処理装置、および情報処理方法
JP2022147999A (ja) * 2021-03-24 2022-10-06 富士フイルムビジネスイノベーション株式会社 情報処理装置及び情報処理プログラム

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008182699A (ja) 2007-01-24 2008-08-07 Toshiba Corp ドキュメント処理システムおよび方法

Family Cites Families (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5675782A (en) * 1995-06-06 1997-10-07 Microsoft Corporation Controlling access to objects on multiple operating systems
US6163383A (en) * 1996-04-17 2000-12-19 Fuji Xerox Co., Ltd. Method for providing print output security in a multinetwork environment
JPH1173392A (ja) * 1997-08-29 1999-03-16 Nec Corp ユーザid決定方法及び方式
AU4831500A (en) * 1999-05-10 2000-11-21 Andrew L. Di Rienzo Authentication
US6711677B1 (en) * 1999-07-12 2004-03-23 Hewlett-Packard Development Company, L.P. Secure printing method
WO2001061463A1 (fr) * 2000-02-21 2001-08-23 Seiko Epson Corporation Systeme intermediaire d'impression en reseau
EP1184779A4 (de) * 2000-02-21 2003-01-22 Seiko Epson Corp System um drucken an netzwerk zu vermitteln
US6795205B1 (en) * 2000-03-15 2004-09-21 Canon Kabushiki Kaisha Third-party authorization for home-based printing
US20020038420A1 (en) * 2000-04-13 2002-03-28 Collins Timothy S. Method for efficient public key based certification for mobile and desktop environments
JP2002132917A (ja) * 2000-10-26 2002-05-10 Fujitsu Ltd 印刷サービス方法、システム及びプリンタ
JP2002236577A (ja) * 2000-11-17 2002-08-23 Canon Inc 印刷処理における自動認証方法及びそのシステム
US7158623B1 (en) * 2001-02-27 2007-01-02 Verizon Data Services Inc. Method and apparatus for dial stream analysis
US20030061358A1 (en) * 2001-08-28 2003-03-27 Yolande Piazza Method and system for presenting charge related data on a worldwide basis through a network
JP2003099570A (ja) * 2001-09-21 2003-04-04 Fujitsu Ltd デジタル文書審議装置およびデジタル文書審議方法
US20040125402A1 (en) * 2002-09-13 2004-07-01 Yoichi Kanai Document printing program, document protecting program, document protecting system, document printing apparatus for printing out a document based on security policy
US6995857B2 (en) * 2004-01-23 2006-02-07 Vpr Matrix, Inc. System and method for routing service requests from a paired digital camera and transceiver module
US20060072541A1 (en) * 2004-09-28 2006-04-06 Vivian Pecus Network management system & method
WO2006095406A1 (ja) * 2005-03-07 2006-09-14 National Institute Of Information And Communications Technology 位置情報サーバシステム及びそれを用いた無線通信システム
JP2007048080A (ja) 2005-08-10 2007-02-22 Ricoh Co Ltd サービス提供装置,サービス提供方法及びサービス提供プログラム
JP4844104B2 (ja) * 2005-11-30 2011-12-28 富士ゼロックス株式会社 認証エージェント装置および認証方法
US8069153B2 (en) * 2005-12-02 2011-11-29 Salesforce.Com, Inc. Systems and methods for securing customer data in a multi-tenant environment
JP2007272583A (ja) * 2006-03-31 2007-10-18 Univ Waseda 情報共有システム、情報共有システムにおける認証方法、管理装置及び情報処理装置等
JP4757687B2 (ja) * 2006-03-31 2011-08-24 三菱電機株式会社 認証認可サーバ、認証認可システム、認証認可方法及び認証認可プログラム
US8201216B2 (en) * 2006-09-11 2012-06-12 Interdigital Technology Corporation Techniques for database structure and management
CN101179459A (zh) * 2006-11-07 2008-05-14 朗迅科技公司 Ims网络打印服务
US8577835B2 (en) * 2007-06-28 2013-11-05 Salesforce.Com, Inc. Method and system for sharing data between subscribers of a multi-tenant database service
JP5359530B2 (ja) * 2008-06-19 2013-12-04 株式会社リコー 印刷サービス提供方法、印刷サービス提供システム、呼制御サーバ及びプログラム
JP5299787B2 (ja) 2009-03-05 2013-09-25 キヤノンマーケティングジャパン株式会社 情報処理システムと認証サーバと、その処理方法およびプログラム
JP5600912B2 (ja) * 2009-09-24 2014-10-08 コニカミノルタ株式会社 画像出力装置およびその使用制限方法ならびにコンピュータプログラム
US8613059B2 (en) * 2009-12-18 2013-12-17 At&T Intellectual Property I, L.P. Methods, systems and computer program products for secure access to information
JP5293659B2 (ja) * 2010-03-18 2013-09-18 ブラザー工業株式会社 制御装置とコンピュータプログラム
US8832798B2 (en) * 2011-09-08 2014-09-09 International Business Machines Corporation Transaction authentication management including authentication confidence testing
US8189225B1 (en) * 2011-10-04 2012-05-29 Google Inc. Printing to a cloud printer via NFC
JP5936366B2 (ja) * 2012-01-19 2016-06-22 キヤノン株式会社 印刷システム、画像形成装置、中間処理装置、ウェブサービス提供装置、印刷システムの制御方法およびコンピュータプログラム
US9672071B2 (en) * 2013-09-10 2017-06-06 Vmware, Inc. Method and system for distributed processing of HTTP requests

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008182699A (ja) 2007-01-24 2008-08-07 Toshiba Corp ドキュメント処理システムおよび方法

Also Published As

Publication number Publication date
CN103248780A (zh) 2013-08-14
US20130198806A1 (en) 2013-08-01
EP2624123B1 (de) 2020-01-08
EP2624123A3 (de) 2014-05-07
CN103248780B (zh) 2016-01-20
US9455970B2 (en) 2016-09-27
JP2013257859A (ja) 2013-12-26
JP6098169B2 (ja) 2017-03-22

Similar Documents

Publication Publication Date Title
EP2624123B1 (de) Informationsverarbeitungssystem, Informationsverarbeitungsvorrichtung und Authentifizierungsverfahren
EP2624122B1 (de) Informationsverarbeitungssystem, Informationsverarbeitungsvorrichtung und Datenumwandlungsverfahren
US9288213B2 (en) System and service providing apparatus
KR101614578B1 (ko) 정보 처리 장치, 그 제어 방법, 저장 매체, 및 화상 처리 장치
US9608972B2 (en) Service providing system and data providing method that convert a process target data into output data with a data format that a service receiving apparatus is able to output
US10075444B2 (en) Information processing system, user terminal, and data processing device
US20150029535A1 (en) Service providing system and service providing method
US20140126016A1 (en) Information processing system, device, and information processing method
US20140068715A1 (en) Information processor, system and recording medium
US9497190B2 (en) Information processing apparatus, method of controlling the same, storage medium and information processing system
US11895108B2 (en) Service providing system, login setting method, and information processing system
JP6295532B2 (ja) 情報処理システム及び情報処理方法
US10182059B2 (en) Non-transitory computer readable medium storing a program causing a computer to permit a guest user to have utilization authority using a directory, and apparatus management system permitting a guest user to have utilization authority using a directory
JP2014059717A (ja) 情報処理システム、情報処理装置、機器、情報処理方法、及び情報処理プログラム
US11119712B2 (en) Image processing apparatus executing image process in accordance with setting including setting value specified for each setting category
US10469709B2 (en) Devices, systems, and methods for controlling a link with a storage server
US11995173B2 (en) Service providing system, application usage method, and information processing system
US11614904B2 (en) Printing device, information processing device, and control method and medium for the same
US11520543B2 (en) Image forming apparatus, printing system, control method, and storage medium
US11606361B2 (en) Cloud system, information processing system, and user registration method
JP7459649B2 (ja) クラウドシステム、情報処理システム、ユーザ登録方法
JP2013186849A (ja) 印刷システム
US11206255B2 (en) Information processing apparatus, authentication method, and non-transitory recording medium storing instructions for performing an information processing method
US20240192903A1 (en) Information processing system, control method for information processing system and storage medium
JP6838497B2 (ja) 情報処理システム及び情報処理方法

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20130129

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 3/12 20060101AFI20140402BHEP

Ipc: H04L 29/06 20060101ALN20140402BHEP

Ipc: G06F 21/60 20130101ALN20140402BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20180517

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/06 20060101ALN20190531BHEP

Ipc: G06F 3/12 20060101AFI20190531BHEP

Ipc: G06F 21/60 20130101ALN20190531BHEP

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/60 20130101ALN20190625BHEP

Ipc: G06F 3/12 20060101AFI20190625BHEP

Ipc: H04L 29/06 20060101ALN20190625BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20190802

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602013064776

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1223520

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200215

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200531

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200508

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200409

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602013064776

Country of ref document: DE

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20200131

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200129

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1223520

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200108

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200131

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200131

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200131

26N No opposition filed

Effective date: 20201009

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200129

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200108

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230522

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 20240119

Year of fee payment: 12

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20240119

Year of fee payment: 12

Ref country code: GB

Payment date: 20240119

Year of fee payment: 12

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20240124

Year of fee payment: 12